On 2017年02月02日 18:46, P J P wrote:
From: Prasad J Pandit <p...@fedoraproject.org> i.MX Fast Ethernet Controller uses buffer descriptors to manage data flow to/fro receive & transmit queues. While transmitting packets, it could continue to read buffer descriptors if a buffer descriptor has length of zero and has crafted values in bd.flags. Set an upper limit to number of buffer descriptors. Reported-by: Li Qiang <liqiang...@360.cn> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/net/imx_fec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) Patch v2 -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05554.html - Restrict loop in 'imx_enet_do_tx' to IMX_MAX_DESC descriptors.
Applied, thanks.
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c index 50c7564..90e6ee3 100644 --- a/hw/net/imx_fec.c +++ b/hw/net/imx_fec.c @@ -55,6 +55,8 @@ } \ } while (0)+#define IMX_MAX_DESC 1024+ static const char *imx_default_reg_name(IMXFECState *s, uint32_t index) { static char tmp[20]; @@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)static void imx_fec_do_tx(IMXFECState *s){ - int frame_size = 0; + int frame_size = 0, descnt = 0; uint8_t frame[ENET_MAX_FRAME_SIZE]; uint8_t *ptr = frame; uint32_t addr = s->tx_descriptor;- while (1) {+ while (descnt++ < IMX_MAX_DESC) { IMXFECBufDesc bd; int len;@@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s) static void imx_enet_do_tx(IMXFECState *s){ - int frame_size = 0; + int frame_size = 0, descnt = 0; uint8_t frame[ENET_MAX_FRAME_SIZE]; uint8_t *ptr = frame; uint32_t addr = s->tx_descriptor;- while (1) {+ while (descnt++ < IMX_MAX_DESC) { IMXENETBufDesc bd; int len;
